@eternalsakura13 @l33d0hyun but there is already a CVE recorded for a bug with the same impact that occurred in the same component.
CVE-2025-24371 (cve.org/CVERecord?id=C…)
English
Doyeon Park
42 posts
Doyeon Park
@ehdus829
Security Researcher l @cysecschool | prev @zellic_io
대한민국 성북구 Beigetreten Temmuz 2022
168 Folgt695 Follower
@l33d0hyun I usually point out such issues during security audits, yet they are generally not accepted as valid vulnerabilities in bug bounty programs.
English
It looks like web3's 0day has been published? I don't know much about web3, but I wonder what's going on here?
Doyeon Park@ehdus829
I’m disclosing a 0-day vulnerability in the Cosmos consensus layer (CometBFT). This is a CVSS 7.1 (High) severity issue that can cause nodes in the Cosmos ecosystem—which secures over $8B+ in assets—to stall during the block synchronization phase. However, direct asset theft is not possible using this vulnerability. I made every effort to follow Coordinated Vulnerability Disclosure (CVD) for the safety of the ecosystem; however, due to the vendor’s lack of cooperation and irresponsible decisions, I have decided to proceed with disclosure. This action is taken in accordance with the vendor’s final decision. All resulting security risks are solely the responsibility of the vendor, and I will therefore disclose both the vendor’s irresponsible handling and the detailed vulnerability information in this thread.
English
@escrow_ If it can be mitigated by blocking, then it wouldn’t be considered a vulnerability. However, malicious attackers are not removed.
English
@p6rkdoye0n But you can just ban the malicious peer that is providing falsified heights and sync w/o an issue post-ban?
Plus, the attacker can't do much with this if the workaround is so easy - even if they scale.
I also see an informational, and not a 0day or a 7.1 to be honest.
English
I’m disclosing a 0-day vulnerability in the Cosmos consensus layer (CometBFT).
This is a CVSS 7.1 (High) severity issue that can cause nodes in the Cosmos ecosystem—which secures over $8B+ in assets—to stall during the block synchronization phase. However, direct asset theft is not possible using this vulnerability.
I made every effort to follow Coordinated Vulnerability Disclosure (CVD) for the safety of the ecosystem; however, due to the vendor’s lack of cooperation and irresponsible decisions, I have decided to proceed with disclosure.
This action is taken in accordance with the vendor’s final decision. All resulting security risks are solely the responsibility of the vendor, and I will therefore disclose both the vendor’s irresponsible handling and the detailed vulnerability information in this thread.
English
@FacundoMedica @yongjoojung then, if the sentinel nodes are deadlocked, the attack would succeed, right?
English
@yongjoojung @p6rkdoye0n Agree, it's being presented in a very exaggerated manner. It does make sense in a lab environment but in real life validators run with fixed peers and behind sentinel nodes. Also saying that it "can lead to a deadlock, making it impossible for the node to rejoin" is false.
English
안녕하세요. 말씀하신 것처럼 검증자 노드와 릴레이 노드는 기본적으로 검증된 고정 피어만 사용합니다. 네 그래서 대부분 Sentry 노드 사용을 권장하며, Sentry 노드가 외부와 통신을 진행하는데 만약 해당 노드가 블록 동기화 중 교착된다면 검증자 노드나 릴레이 노드 전부 고립되게 됩니다. 그래서 이때는 공격 타겟을 Sentry 노드로 잡으면 공격을 성공시킬 수 있습니다.
주소록은 하나의 rpc url에다가 `net_info` 메소드를 한번 날려보세요. 쉽게 peer들의 rpc를 구할 수 있으며 구한 rpc들에게 `status`를 보내는 방식으로 네트워크에 있는 주소록을 리스트업할 수 있습니다.
한국어
@p6rkdoye0n 기술적으로는 충분히 의미 있는 지적이라고 생각합니다. 다만 현실적인 운영 환경까지 고려하면, 일반적인 Cosmos 계열 검증인 세팅에서는 실제로 발생하기는 쉽지 않아 보입니다. 검증인노드나 릴레이노드는 확인된 고정피어만 사용하고, 어드래스북은 공유안하는게 기본이라서요.
한국어
Doyeon Park retweetet
Seeing the recent Cosmos 0-day disclosure reminds me of how they handled my report. I found an unhandled panic in the x/distribution module that causes permanent DoS and stuck funds. It already happened on Stride & BitSong, locking users' funds indefinitely. 🧵👇
Doyeon Park@ehdus829
I’m disclosing a 0-day vulnerability in the Cosmos consensus layer (CometBFT). This is a CVSS 7.1 (High) severity issue that can cause nodes in the Cosmos ecosystem—which secures over $8B+ in assets—to stall during the block synchronization phase. However, direct asset theft is not possible using this vulnerability. I made every effort to follow Coordinated Vulnerability Disclosure (CVD) for the safety of the ecosystem; however, due to the vendor’s lack of cooperation and irresponsible decisions, I have decided to proceed with disclosure. This action is taken in accordance with the vendor’s final decision. All resulting security risks are solely the responsibility of the vendor, and I will therefore disclose both the vendor’s irresponsible handling and the detailed vulnerability information in this thread.
English
@link_vector thank you for your kind words. It occurs in the Cosmos consensus layer (CometBFT)
English
@p6rkdoye0n Dude great job and you handled this proper - ignore the idiots that don't read - we need more sec. researchers like u
Shame on the vendor .. is it Cosmos hub in this case??
English
@PerkinsFund It was documented with reference to a CVE that has the same impact. please review it
cve.org/CVERecord?id=C…
English
@p6rkdoye0n Who told you this was a 7.1?
The practicality of using this is very low.
English
Doyeon Park retweetet
Very, very typical for how this kind of thing goes down in cosmos.
I saw the same kind of behavior as a long term ecosystem participant.
It's unfortunate that handling of security hasn't improved since then.
Doyeon Park@ehdus829
I’m disclosing a 0-day vulnerability in the Cosmos consensus layer (CometBFT). This is a CVSS 7.1 (High) severity issue that can cause nodes in the Cosmos ecosystem—which secures over $8B+ in assets—to stall during the block synchronization phase. However, direct asset theft is not possible using this vulnerability. I made every effort to follow Coordinated Vulnerability Disclosure (CVD) for the safety of the ecosystem; however, due to the vendor’s lack of cooperation and irresponsible decisions, I have decided to proceed with disclosure. This action is taken in accordance with the vendor’s final decision. All resulting security risks are solely the responsibility of the vendor, and I will therefore disclose both the vendor’s irresponsible handling and the detailed vulnerability information in this thread.
English
@0xphilipp Please review the text. I did not intend for this to be disclosed. I made every effort within my control, and this disclosure is solely the result of the chain team’s final decision.
English
@p6rkdoye0n Disclosing security issues publicly without first reaching out to chains is never responsible. All resulting security risks are solely on you.
English
@PerkinsFund yes, an attack can be carried out against the entire network with knowledge of just a single rpc url
English
Detailed analysis of the vulnerability and records of the vendor’s response can be found in the GitHub issue below.
github.com/cometbft/comet…
Please share this thread widely to help promote a safer security culture in the Cosmos ecosystem going forward.
@cosmos @cometbft @informalinc @interchain_io
English
The purpose of this disclosure is to protect the ecosystem, not to harm it. Therefore, with consideration for ecosystem safety, I will disclose only the technical details of the vulnerability and video evidence, and will not release the fully exploitable attack code (full PoC).
English
Doyeon Park retweetet
Blockchain Valley X DeFiHackLabs Offline Session (📅 May 27)
This session was made possible with the support of @DeFiHackLabs, a global Web3 security community. We would like to express our sincere gratitude to @DeFiHackLabs for their efforts in supporting university blockchain society in South Korea ❣
We are genuinely committed to researching Web3 security, and this session focused on the security of smart contracts. The presenters led the session with a focus on how vulnerabilities in smart contracts occur, covering both theoretical concepts and hands-on exercises 🌟
Participants engaged in lectures explaining how vulnerabilities arise in smart contracts, followed by practical sessions. Additionally, the security team members conducted a group audit of a previously completed real-world smart contract audit, allowing those unfamiliar with auditing to gain experience through discussion and collaborative practice 🫧
Also for those still new to Web3 security, the presenters — who had previously participated in development projects — were able to provide a variety of insights, making the session valuable and informative for everyone involved 🙏
Once again, we would like to express our deepest gratitude to @DeFiHackLabs for providing the most significant support for this session 🚀
English
Doyeon Park retweetet
Zellic proudly announces the EVM trackooor, a modular tool for monitoring arbitrary actions on chain.
With the amount of data that blockchains contain, it’s difficult to query and process anything that isn’t indexed event fields.
This is why we built EVM trackooor 🧵👇
GIF
English
yo wassup
BlockchainValley@blockchainkor
[Week 4 Common Session]. The head of Blockchain Valley's security team(@p6rkdoye0n) and the head of the research team(@oing8679) talked about Web3 security auditing and shared how the H4C team member(@13u9_kyeong) got started in security and the direction of their research.
English
Doyeon Park retweetet
Zellic and @immunefi are partnering to build a more secure Web3! This partnership will enable our customers to strengthen their security posture with a holistic security suite.
For more details on this partnership join our Twitter Spaces with Scroll on Thursday at 2:30pm EST!
English